
When going to this URL, I'm presented with the login page. So I have to log in first, then I'm redirected to the Google Auth permission. So I granted permission to the app. Then it's redirected to http://localhost:8080/app/google/test again (this is the same redirect URI I declared in the Google Console API).

However, this time two parameters are added: the state and the code. Why am I given these two parameters? Isn't OAuth2RestTemplate supposed to handle the OAuth dance for me?

Am I missing something?

I'm receiving the following exception:

Code:

org.springframework.security.oauth2.client.http.AccessTokenRequiredException: No OAuth 2 security context has been established. Unable to access resource 'oauth-resource'.
at org.springframework.security.oauth2.client.http.OAuth2ClientHttpRequestFactory.createRequest(OAuth2ClientHttpRequestFactory.java:55)
at org.springframework.http.client.support.HttpAccessor.createRequest(HttpAccessor.java:76)
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:434)
at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:401)
at org.springframework.web.client.RestTemplate.getForObject(RestTemplate.java:199)
at com.newmedia.jobboard.controller.GoogleAnalyticsController.test(GoogleAnalyticsController.java:56)

Comment

I can't see anything immediately wrong. What server platform are you on? Does tonr2 work on the same platform?

The error suggests that the OAuth2ClientContextFilter was not applied to your request. If you look at the whole stack trace you should be able to see it, and if not it's a config error that somehow gets the request to your controller without going through that filter.

N.B. the client support has changed a lot since M6. You might want to try with a more recent build (and use <oauth:rest-template/>).

Comment

Dave, just a heads-up. I'm using M6d now, but there is no <oauth:rest-template/>.

Anyway, I proceeded with my original configuration. Right after I updated to M6d, I got the following exception:

Code:

java.lang.IllegalStateException: No redirect URI has been established for the current request.
org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeAccessTokenProvider.getRedirectForAuthorization(AuthorizationCodeAccessTokenProvider.java:286)
org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeAccessTokenProvider.obtainAccessToken(AuthorizationCodeAccessTokenProvider.java:157)
org.springframework.security.oauth2.client.token.AccessTokenProviderChain.obtainNewAccessTokenInternal(AccessTokenProviderChain.java:120)
org.springframework.security.oauth2.client.token.AccessTokenProviderChain.obtainAccessToken(AccessTokenProviderChain.java:100)
org.springframework.security.oauth2.client.OAuth2RestTemplate.acquireAccessToken(OAuth2RestTemplate.java:194)
org.springframework.security.oauth2.client.OAuth2RestTemplate.getAccessToken(OAuth2RestTemplate.java:148)
org.springframework.security.oauth2.client.OAuth2RestTemplate.createRequest(OAuth2RestTemplate.java:89)

I fixed it by declaring a pre-established-redirect-uri (previously, this error wasn't visible):

[(FilterChainProxy.java:304:http-bio-8080-exec-5) 12:08:27]/google/test?state=CpPSCj&code=4/dwv5L9828YvOwHAc0hAggZtPBRVm.4kKXndclHesWuJJVnL49Cc90Mt-ebwI reached end of additional filter chain; proceeding with original chain

I got an access code there, and the next step in the OAuth dance should be an exchange for token (Spring is supposed to pass the access code in return for an access token).

Comment

OK, so it looks like the original error was the missing redirect uri. If you go back to M6 with your simplified config it would work. To use M6d you will need the <oauth:rest-template/>. It's there, I promise, but maybe your XML editor is not detecting the XSD in the jar file (if it goes to the internet to find it, it will fail)?

Comment

Maybe you're right. My STS might have some issues refreshing the schema. I've examined the XSD inside the M6d jar and saw the rest-template element. So I used it anyway on my project and I get the invalid markup error. But when I run the application, it runs. Apparently, it's an editor issue.

After running the application I was able to progress one step. However I got a new error:

I'm wondering why the Access Token is invalid or why there is an invalid request. Is there a way to show more logs? I'm already at debug level for log4j but unfortunately the explanation I got is just that.

is because the other parameters required in retrieving an access token are never passed by Spring. Based on Google's OAuth 2.0 docs, the following parameters need to be passed (of course with the correct data):

So my conclusion here is that in the first place Spring OAuth is not sending the correct HTTP parameters because if it did it would show in the Debug details and it would throw an invalid_grant error instead (if the values are wrong).

Comment

OK, so evidently Google doesn't allow client authentication in the Authorization header (which is the default for the SECOAUTH client and the recommended option in the spec). You would need to add client-authentication-scheme="form" to your resource declaration. If you look at the tonr2 sample you can see that Facebook has the same unnecessary restriction.

Comment

You should see the code and grant_type, and the client credentials (because of the special authentication scheme). Which of those did you not see? If you see them all then there must be another problem with the flow, and only the server would know probably what you are doing wrong, so if it isn't sending any more information back then you might be out of luck. Maybe you can monitor the responses from the auth server using a TCP monitor?
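Added example, not part of the original posts and not Spring Security OAuth code: a sketch of what the authorization-code token request carries on the wire under the two client-authentication schemes discussed above (Authorization header versus form parameters), plus the `state` check on the callback. The client id, secret, `state` and `code` values are constructed placeholders, and the function names are hypothetical.

```python
import base64
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit


def parse_callback(callback_url, expected_state):
    """Return the authorization code from the redirect, after checking state."""
    params = parse_qs(urlsplit(callback_url).query)
    state = params.get("state", [""])[0]
    # state binds the callback to the request this session started; a
    # mismatch means the redirect did not come from our own flow.
    if not expected_state or not hmac.compare_digest(
            state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    if "code" not in params:
        raise ValueError("no code: " + params.get("error", ["unknown"])[0])
    return params["code"][0]


def token_request(code, redirect_uri, client_id, client_secret, scheme):
    """Build (headers, body) for the code-for-token exchange."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,  # must match the authorization request
    }
    if scheme == "header":
        # Client credentials travel as HTTP Basic, not in the body.
        raw = f"{client_id}:{client_secret}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(raw).decode()
    elif scheme == "form":
        # Client credentials travel as ordinary form parameters.
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    else:
        raise ValueError("unknown scheme: " + scheme)
    return headers, urlencode(form)


if __name__ == "__main__":
    # Constructed callback; only the path comes from the thread.
    url = "http://localhost:8080/app/google/test?state=abc123&code=EXAMPLE-CODE"
    code = parse_callback(url, expected_state="abc123")
    for scheme in ("header", "form"):
        headers, body = token_request(
            code, "http://localhost:8080/app/google/test",
            "example-client", "example-secret", scheme)
        print(scheme, headers.get("Authorization"), body)
```

When watching the exchange through a proxy, the form scheme is the one where `client_id` and `client_secret` appear in the POST body; with the header scheme the body holds only `grant_type`, `code` and `redirect_uri`.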

Comment

Dave, I will investigate the sent parameters further. But to answer your question, I didn't see those parameters when the app is requesting an access token, though they're present in the authentication request.

I don't know if that has something to do with the Proxy tool I'm using or it's a server issue or an app issue.

I'm sorry, though; I tried setting use-current-uri="false" but got the same issue.

Do you think it would help if I provide you a barebones Maven project with this current issue? Of course, you might need to create your own Google Analytics account and register an ID via the Google API Console. If this would help, I would gladly provide one.